June 5, 2002

Think tank questioning Open Source security runs Apache on its Web site, but author defends study

- By Grant Gross -

If using Open Source software makes government computer systems susceptible to terrorists as a forthcoming white paper by conservative think tank Alexis de Tocqueville Institution claims, then ADTI's own Web site is at risk. ADTI.net runs a version of ... Apache.
This fact was pointed out by Richard M. Smith on Declan McCullagh's Politech email list. So I went to Netcraft.com and checked for myself. Sure enough: "The site www.adti.net is running Rapidsite/Apa/1.3.20 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.4 OpenSSL/0.9.6 on IRIX." Web host Rapidsite uses a customized version of the Open Source Apache Web server, and Adti.net also runs OpenSSL, the Open Source Secure Sockets Layer toolkit.

ADTI president Ken Brown, whose white paper says Open Source software provides hackers/crackers its "blueprint," volunteers the fact that the site runs on Apache before I can ask him about it during a chat earlier today. "We're pro-Open Source here at de Tocqueville," he says.

My response to Brown: "Huh?"

Brown answers that his white paper specifically questions the security of the GNU General Public License, not other BSD-like Open Source licenses, such as the Apache Software License, although the white paper's press release doesn't make the distinction. "[Open Source] is great for experimentation, and it's great for research," Brown says. "We're talking about national security, and when it comes to the whole issue of hacking a system, we conclude and we will defend to the end, that more information is better [for hackers/crackers]. If you provide more code, you're giving a [hacker] person more information. At the end of the day, you're educating people about what you've done, and we don't see any real benefit to that, especially if it's a bad person."

Editor's note: Here's a link to the study [PDF], apparently released June 10.

So BSD good, GPL bad? That sounds exactly like Microsoft's position lately, although I'm not sure how big a difference that makes in this case, because both licenses allow access to the source code. So the issue apparently is that seeing the source code, or the blueprint, isn't really the problem, but making your changes available to others suddenly opens up all kinds of new security holes. Last time I checked, the GPL doesn't require you to share your passwords or upload your SSH key to Richard Stallman.

So we have a think tank that doesn't put its money where its mouth is. Smith, on Politech, also says the Alexis de Tocqueville Institution has gotten funding from Microsoft in the past, and a story at Wired.com today confirms that. The think tank has been a Microsoft antitrust apologist in the past. (That's just one of more than a half dozen pro-Microsoft papers on ADTI.net, pointed out by OSDN programmer Jamie McCarthy on Politech.) Why isn't that a surprise?

Of course, Microsoft doesn't always put its money where its mouth is, either. Remember Microsoft's anti-Unix site Wehavethewayout.com, which was originally running FreeBSD?

I ask Brown about Microsoft funding for this specific study, and he says it's against ADTI's policy to comment on who funds its studies. I suggest that not disclosing the paper's financial backers may cause people to question the validity of the study.

Brown answers: "I have a lot of faith in the American people. If somebody wrote something tomorrow that everyone should move to California, people aren't going to get up and move to California. It has nothing to do with a travel organization funding the study, it has to do with common sense. We think that something should be challenged on its merits."

So Brown and I move on to the merits of the white paper's conclusions. He agrees when I suggest Microsoft products have a long history of security problems. "Our position is not that one system is better than another," Brown adds. "We never said that. Our paper is about Open Source, that's it."

Still, I press Brown on the Microsoft alternative to Open Source, given Brown's theory that Open Source can be exploited by terrorists. He claims "volunteer" organizations like Open Source projects don't have much of a chance of competing with huge corporate initiatives.

His reasoning: "You get 10 smart people together in a room, and they'll come up with some pretty good code. You get 100 smart people together, and they'll come up with some even better code ... and on and on from there, assuming there's some break-off point and somebody can't make it any better."

He continues: "Now, let's change the model from numbers of people to accountability, warranties, customer service, manuals, that kind of thing. You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does. You can't say a volunteer group is necessarily always going to be as efficient as a group that's contracted."

I don't even know where to start to respond to that statement. The hundreds of horror stories about getting tech support from Microsoft and other large computer companies run through my head. Brown has limited time to talk, so instead I suggest that people often do better work for volunteer organizations than their employers, because they're doing what they love, not what they're getting paid for.

"The fact is, I want a guarantee as a businessman, I want accountability," Brown answers.

Brown should talk to Microsoft about guarantees. One NewsForge reader points out something I'd nearly forgotten: The Windows End User License Agreement specifically disclaims any obligation of a warranty. It seems that Brown's holding Open Source up to a standard he doesn't expect from his past financial backer. And, besides, if you find a software company willing to sell you a system it guarantees can never be cracked, ask if it can add some snake oil to your order.

Okay, I point out, in the case of security, it appears as if the Open Source model somehow works better, especially when compared to Microsoft. Even when I take into account that many Microsoft products are used by millions of people, many of whom shouldn't have gotten a license to operate a computer in the first place, Open Source products seem to have fewer serious security problems, not to mention that Open Source bugs seem to get fixed a whole lot faster.

The "many eyes squash many bugs" explanation seems to hold water, and although most Open Source projects aren't created by 100 smart people sitting in a room together, the model Brown likes, they are created by hundreds of people talking on the Web together, and these are generally people who care as deeply about their projects as Boston Red Sox fans care about another late-season choke. No, most Open Source coders aren't paid, but neither are the rabid Red Sox fans.

"In the case of security, it appears that Open Source products have fewer security vulnerabilities," I say to Brown. "So somewhere, there's an efficiency there."

Brown seems to back off: "What we've been suggesting in our study ... is that this deserves more study. And that's where we stand. We think there should be a commission to do a rigorous test and do a study. We didn't do a [security] study comparing proprietary software to Open Source, and I'd like an unbiased community of people to do this kind of study."

I point to studies like a recent one from Gartner Group that suggests Microsoft security would benefit from an Open Source-style review. But, I add, the Open Source community would probably welcome an unbiased study of that sort. So Brown and I finally find some common ground.

The white paper, which has gotten unquestioning coverage at places like ZDNet, is scheduled to be released Friday and will also include critiques about Open Source attitudes about intellectual property and Open Source. Brown, who says he has four years of experience writing about technology, authored the study with help from several others after more than six months of interviews about Open Source, he says.

I remain intrigued by Brown's assertion that showing the source code "blueprint" makes Open Source software more vulnerable to terrorists. That theory ignores the fact that sysadmins have a variety of tools at their disposal to make systems more secure. Most people who know much more about information security than I do would advise people worried about security to never install a default Web server or operating system, whether it's Open Source or proprietary. You need to take the precautions available and keep up with the security updates, and you need to realize that no system is totally invulnerable.

As Brown says he has to get off the phone, I give him another blueprint scenario:

Let's pretend you and I are burglars, I tell him. We're considering breaking into two houses. We have the blueprint for the first house, let's call it the Open Source house. We know how the house is laid out, we know where the doors are, but we also know that there are locks on the windows, there are dead-bolt locks on all the doors, there's a burglar alarm installed, there are two 100-pound Rottweilers living inside, and the owner keeps a loaded double-barrel shotgun somewhere in the house.

Let's call the second house the Microsoft house. We don't have a blueprint, but we know the owner doesn't have locks on the windows, has no dogs, guns, or burglar alarm, and tends to leave the back door unlocked.

So, I ask Brown, which house are we going to break into? Does the blueprint really help us?

Brown doesn't have much of an answer to that.
